
Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC

From: Dan Book
Date: August 14, 2021 17:20
Subject: Re: CVE-2021-36770: Encode.pm loads code from outside expected @INC
Message ID: CABMkAVVfE-Q0BCcauBh98EA3mdxs3syGJmMvckm2fdjF7w0Jog@mail.gmail.com

On Sat, Aug 14, 2021 at 1:18 PM Dan Book <grinnz@gmail.com> wrote:

> On Sat, Aug 14, 2021 at 4:15 AM Achim Gratz <Stromeko@nexgo.de> wrote:
>
>> "Ricardo Signes" writes:
>> > I have attached a fix for a bug in Encode, registered as
>> > CVE-2021-36770.  This bug replaces the contents of @INC with a
>> > predictable integer, which is treated as a directory relative to the
>> > current working directory, long enough to execute one "require".
>>
>> I've decided to put a different fix in Cygwin's Perl:
>>
>> --8<---------------cut here---------------start------------->8---
>> --- origsrc/perl-5.32.1/cpan/Encode/Encode.pm
>> +++ src/perl-5.32.1/cpan/Encode/Encode.pm
>> @@ -65,8 +65,7 @@
>>  eval {
>>      local $SIG{__DIE__};
>>      local $SIG{__WARN__};
>> -    local @INC = @INC || ();
>> -    pop @INC if $INC[-1] eq '.';
>> +    local @INC = ( substr( $INC{"Encode.pm"}, 0, -length( "/Encode.pm"
>> )) ); # where enc2xs would have installed it
>>      require Encode::ConfigLocal;
>>  };
>>
>>
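Review bot: The added `local @INC = ( substr( $INC{"Encode.pm"}, 0, -length( "/Encode.pm" )) )` line trims a fixed-length suffix without checking that `$INC{"Encode.pm"}` is set and actually ends in `/Encode.pm`, and it keeps whatever form that entry has, so a relative %INC entry still gives a directory resolved against the current working directory. Verify the suffix before trimming (or take the directory with File::Basename::dirname) and make the result absolute, for example with File::Spec->rel2abs, before assigning it to @INC. The added line is also wrapped across two lines as posted, the second without a `+`, so the hunk will not apply until it is rejoined.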
>> --8<---------------cut here---------------end--------------->8---
>>
>
> A less fragile version of this would be:
>
> require File::Basename;
> local @INC = File::Basename::dirname($INC{'Encode.pm'});
>

And probably should be using __FILE__ instead of the %INC entry since this
*is* Encode.pm.

-Dan
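
What the removed `local @INC = @INC || ();` line leaves in @INC, next to the `__FILE__`-based form suggested in this message, as an added Perl example that is not code from Encode.pm or from any poster. `My::ConfigLocal` is a hypothetical module name, and the `rel2abs` call is an addition that nobody in the thread proposed.

```perl
#!/usr/bin/perl
# Added example; not code from Encode.pm or from this thread.
use strict;
use warnings;
use File::Basename ();
use File::Spec ();

# The removed line: `||` evaluates its left operand in scalar context,
# so a non-empty @INC collapses to a single element, its own entry count.
sub inc_after_old_line {
    local @INC = @INC || ();
    my @seen = @INC;              # copy before local() is undone
    return @seen;
}

# The form suggested in the thread: search only the directory that holds
# this file. rel2abs is an addition here, so that a relative __FILE__
# does not leave a relative (cwd-dependent) entry in @INC.
sub require_sibling {
    my ($module) = @_;            # hypothetical name, e.g. 'My::ConfigLocal'
    (my $file = "$module.pm") =~ s{::}{/}g;
    my $dir = File::Spec->rel2abs(File::Basename::dirname(__FILE__));
    my $ok = eval {
        local $SIG{__DIE__};
        local $SIG{__WARN__};
        local @INC = ($dir);      # exactly one absolute directory
        require $file;            # optional module; failure is caught
        1;
    };
    return ($dir, $ok ? 1 : 0);
}

my @old = inc_after_old_line();
print "old line leaves \@INC = (@old)\n";

my ($dir, $loaded) = require_sibling('My::ConfigLocal');
print "restricted \@INC = ($dir), loaded = $loaded\n";
```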
